Backup log automatically when full 
This policy setting controls Event Log behavior when the log file reaches its 
maximum size and takes effect only if the Retain old events policy setting is 
enabled. If you enable this policy setting and the Retain old events policy setting is 
enabled, the Event Log file is automatically closed and renamed when it is full. A 
new file is then started. If you disable this policy setting and the Retain old events 
policy setting is enabled, new events are discarded and the old events are retained. 
When this policy setting is not configured and the Retain old events policy setting is 
enabled, new events are discarded and the old events are retained. 
Possible values: 

- Enabled 
- Disabled 
- Not Configured 

Normally you also need Retain old events enabled, but this is already set in 
the Default Domain Policy per the exhibit for the testlet. 


QUESTION: 32 

You need to recommend a solution that meets the following requirements: 

- Log access to all shared folders on TT-FILEO2. 

- Minimize administrative effort. 

- Ensure that further administrative action is not required when new shared folders 
are added to TT-FILEO2. 

Which actions should you perform in sequence? 

To answer, move the appropriate actions from the list of actions to the answer area 
and arrange them in the correct order. (Use only actions that apply.) 

tailspin1 (exhibit): 

Tailspin Toys 

Scenario 

General Background 

You are the Windows server administrator for Tailspin Toys. Tailspin Toys has a main office and a manufacturing office. 

Tailspin Toys recently acquired Wingtip Toys and is in the beginning stages of merging the IT environments. Wingtip Toys has … 

Technical Background 

The companies use the network subnets indicated in the following table. 

(Table with the columns Company, Office and Subnet; the rows are not legible.) 

The Tailspin Toys network and the Wingtip Toys network are connected by a point-to-point 
dedicated 45 Mbps circuit that terminates in the main offices. 

The current Tailspin Toys server topology is shown in the following table. 

The Tailspin Toys environment has the following characteristics: 

- All servers are joined to the tailspintoys.com domain. 
- In the Default Domain Policy, the Retain old events Group Policy setting is enabled. 
- An Active Directory security group named "Windows system administrators" is used to control all files and folders on … 
- A Tailspin Toys administrator named Marc has been delegated rights to multiple organizational units (OUs) and objects in the tailspintoys.com domain. 
- Tailspin Toys developers use Hyper-V virtual machines (VMs) for development. There are 20 development VMs named … through TT-DEV20. 
tailspin2 (exhibit): 

Wingtip Toys 

The current Wingtip Toys server topology is shown in the following table. 

(Table of Wingtip Toys servers with their IP addresses, current role(s), operating systems and DNS zone types; the rows are not legible.) 

All servers in the Wingtip Toys environment are joined to the wingtiptoys.com domain. 

Infrastructure Services 
You must ensure that the following infrastructure services requirements are met: 

- All domain zones must be stored as Active Directory-integrated zones. 
- Only DNS servers located in the Tailspin Toys main office may communicate with DNS servers at Wingtip Toys. 
- Only DNS servers located in the Wingtip Toys main office may communicate with DNS servers at Tailspin Toys. 
- All tailspintoys.com resources must be resolved from the Wingtip Toys offices. 
- All wingtiptoys.com resources must be resolved from the Tailspin Toys offices. 
- Certificates must be distributed automatically to all Tailspin Toys and Wingtip Toys computers. 

Delegated Administration 
You must ensure that the following delegated administration requirements are met: 

- Tailspin Toys IT security administrators must be able to create, modify, and delete user objects in the wingtiptoys.com domain 
- Members of the Domain Admins group in the tailspintoys.com domain must have full access to the wingtiptoys.com Active Di… 
- A delegation policy must grant minimum access rights and simplify the process of delegating rights. 
- Minimum permissions must always be delegated to ensure that the least privilege is granted for a job or task. 
- Members of the TAILSPINTOYS\Helpdesk group must be able to update drivers and add printer ports on TT-PRINTO1. 
- Members of the TAILSPINTOYS\Helpdesk group must not be able to cancel a print job on TT-PRINTO1. 
- Tailspin Toys developers must be able to start, stop, and apply snapshots to their development VMs. 

IT Security 
You must ensure that the following IT security requirements are met: 

- Server security must be automated to ensure that newly deployed servers automatically have the same security configuration 
- Auditing must be configured to ensure that the deletion of user objects and OUs is logged. 
- Microsoft Word and Microsoft Excel files must be automatically encrypted when uploaded to the Confidential document library … Microsoft SharePoint site. 
- Multifactor authentication must control access to Tailspin Toys domain controllers. 
- All file and folder auditing must capture the reason for access. 
- All folder auditing must capture all delete actions for all existing folders and newly created folders. 
- New events must be written to the Security event log in the tailspintoys.com domain and retained indefinitely. 
- Drive x on TT-FILEO1 must be encrypted by using Windows BitLocker Drive Encryption and must automatically unlock. 

Build List and Reorder: 
Answer: 

Upgrade TT-FILEO2 to Windows Server 2008 R2 Standard. 

From FILE. create a new Group Policy object (GPO) named Log. 

Implement Advanced Audit Policy Configuration settings in the Log Group Policy object (GPO). 


Explanation: 

(Screenshot of the completed answer area; the text is not legible.) 


QUESTION: 33 

You need to recommend a solution to meet the following requirements: 

- Meet the company auditing requirements. 

- Ensure that further administrative action is not required when new folders are 
added to the file server. 

What should you recommend? (Choose all that apply.) 

tailspin1 (exhibit): 
Tailspin Toys 

Scenario 

General Background 

You are the Windows server administrator for Tailspin Toys. Tailspin Toys has a main office and a manufacturing office. 

Tailspin Toys recently acquired Wingtip Toys and is in the beginning stages of merging the IT environments. Wingtip Toys has … 
office, 

Technical Background 

The companies use the network subnets indicated in the following table. 

The Tailspin Toys network and the Wingtip Toys network are connected by a point-to-point 
dedicated 45 Mbps circuit that terminates in the main offices. 

The current Tailspin Toys server topology is shown in the following table. 

(Server topology table; the rows are not legible.) 

The Tailspin Toys environment has the following characteristics: 

- All servers are joined to the tailspintoys.com domain. 
- In the Default Domain Policy, the Retain old events Group Policy setting is enabled. 
- An Active Directory security group named "Windows system administrators" is used to control all files and folders on … 
- A Tailspin Toys administrator named Marc has been delegated rights to multiple organizational units (OUs) and objects in the tailspintoys.com domain. 
- Tailspin Toys developers use Hyper-V virtual machines (VMs) for development. There are 20 development VMs named … through TT-DEV20. 
Wingtip Toys 

The current Wingtip Toys server topology is shown in the following table. 

(Table of Wingtip Toys servers with their IP addresses, current role(s), operating systems and DNS zone types; the rows are not legible.) 

All servers in the Wingtip Toys environment are joined to the wingtiptoys.com domain. 

Infrastructure Services 
You must ensure that the following infrastructure services requirements are met: 

- All domain zones must be stored as Active Directory-integrated zones. 
- Only DNS servers located in the Tailspin Toys main office may communicate with DNS servers at Wingtip Toys. 
- Only DNS servers located in the Wingtip Toys main office may communicate with DNS servers at Tailspin Toys. 
- All tailspintoys.com resources must be resolved from the Wingtip Toys offices. 
- All wingtiptoys.com resources must be resolved from the Tailspin Toys offices. 
- Certificates must be distributed automatically to all Tailspin Toys and Wingtip Toys computers. 

Delegated Administration 
You must ensure that the following delegated administration requirements are met: 

- Tailspin Toys IT security administrators must be able to create, modify, and delete user objects in the wingtiptoys.com domain 
- Members of the Domain Admins group in the tailspintoys.com domain must have full access to the wingtiptoys.com Active Di… 
- A delegation policy must grant minimum access rights and simplify the process of delegating rights. 
- Minimum permissions must always be delegated to ensure that the least privilege is granted for a job or task. 
- Members of the TAILSPINTOYS\Helpdesk group must be able to update drivers and add printer ports on TT-PRINTO1. 
- Members of the TAILSPINTOYS\Helpdesk group must not be able to cancel a print job on TT-PRINTO1. 
- Tailspin Toys developers must be able to start, stop, and apply snapshots to their development VMs. 

IT Security 
You must ensure that the following IT security requirements are met: 

- Server security must be automated to ensure that newly deployed servers automatically have the same security configuration 
- Auditing must be configured to ensure that the deletion of user objects and OUs is logged. 
- Microsoft Word and Microsoft Excel files must be automatically encrypted when uploaded to the Confidential document library … Microsoft SharePoint site. 
- Multifactor authentication must control access to Tailspin Toys domain controllers. 
- All file and folder auditing must capture the reason for access. 
- All folder auditing must capture all delete actions for all existing folders and newly created folders. 
- New events must be written to the Security event log in the tailspintoys.com domain and retained indefinitely. 
- Drive x on TT-FILEO1 must be encrypted by using Windows BitLocker Drive Encryption and must automatically unlock. 


A. Enable the Audit File System Group Policy setting for Success. 

B. Enable the Audit object access Group Policy setting for Success. 

C. Enable the Audit File System Group Policy setting for Failure. 

D. Enable the Audit Handle Manipulation Group Policy setting for Success. 
E. Enable the File system option of the Global Object Access Auditing Group Policy setting. 

F. Enable the Audit Handle Manipulation Group Policy setting for Failure. 


Answer: B, D, E 
Explanation: 
We need to ensure that the following audit scenarios are covered: 

# 1. - Auditing must be configured to ensure that the deletion of user objects 
and OUs is logged. 

# 2. - All file and folder auditing must capture the reason for access. 

# 3. - All folder auditing must capture all delete actions for all existing folders 
and newly created folders. 

# 4. - Ensure that further administrative action is not required when new 
folders are added to the file server. 

To cover # 1, we enable the Audit object access Group Policy setting for 
Success. 
The Audit object access Policy category includes the following subcategories: 

Audit Application Generated 

Audit Certification Services 

Audit Detailed File Share 

Audit File Share 
Audit File System 

Audit Filtering Platform Connection 

Audit Filtering Platform Packet Drop 

Audit Handle Manipulation 

Audit Kernel Object 

Audit Other Object Access Events 

Audit Registry 

Audit SAM 
As shown below, enabling Audit object access gives you all of the above, 
including the File System audit. 

Auditing Windows Server 2008 File and Folder Access 

Enabling File and Folder Auditing 

File and folder auditing is enabled and disabled using either Group Policy (for 
auditing domains, sites and organizational units) or local security policy (for single 
servers). 

To enable file and folder auditing for a single server, select Start -> All 
Programs -> Administrative Tools -> Local Security Policy. 

In the Local Security Policy tool, expand the Local Policies branch of the tree 
and select Audit Policy. 
Double click on the Audit Object Access item in the list to display the 
corresponding properties page and choose whether successful, 
failed, or both types of access to files or folders may be audited: 

(Screenshot: Audit object access Properties dialog with Success and Failure check boxes.) 


Once the settings are configured click on Apply to commit the changes and 
then OK to close the properties. 
With file and folder auditing enabled the next task is to select which files and 
folders are to be audited. 
To cover # 2, we enable the Audit Handle Manipulation Group Policy 
setting for Success. 
To configure, apply, and validate a reason for object access policy, you must: 

- Configure the file system audit policy. (Done via the Audit object access Group Policy setting.) 
- Enable auditing for a file or folder. (Choose your files/folders.) 
- Enable the handle manipulation audit policy. (We have just enabled it.) 
- Ensure that Advanced Audit Policy Configuration settings are not overwritten. 
- Update Group Policy settings. 
- Review and verify reason for access auditing data. 

To cover # 3 and # 4, we enable the File system option of the Global Object 
Access Auditing Group Policy setting. 

Global Object Access Auditing policy settings allow administrators to define 
computer system access control lists (SACLs) per object type for either the file 
system or registry. 

The specified SACL is then automatically applied to every object of that 
type. 

That means new files and folders are enrolled automatically and no further 
administrative action is required. 
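
The settings in answers B, D and E, plus the Security log behaviour from the "Backup log automatically when full" note, can be applied and checked locally on one server with the commands below. This is an added example, not part of the original exam material; the Everyone principal, the FA access mask and the English subcategory names are assumptions.

```powershell
# Added example: local command-line equivalent of the chosen GPO settings.
# Run from an elevated PowerShell prompt on the file server.
# Assumptions: English subcategory names; Everyone and FA are illustrative.

# 1. Keep the legacy category-level policy from overwriting subcategory
#    settings ("Audit: Force audit policy subcategory settings ...").
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -PropertyType DWord -Value 1 -Force |
    Out-Null

# 2. Object Access subcategories: File System plus Handle Manipulation
#    (the latter supplies the "reason for access" data).
$required = 'File System', 'Handle Manipulation'
foreach ($sub in $required) {
    auditpol /set "/subcategory:$sub" /success:enable | Out-Null
}

# 3. Global Object Access Auditing: one computer-wide SACL applied to every
#    file and folder, including ones created later. FA (file all access)
#    contains the DELETE right, so delete actions are captured; it is broad
#    and will generate a high event volume.
auditpol /resourceSACL /set /type:File /user:Everyone /success /access:FA |
    Out-Null

# 4. Security log: retain old events and archive the log when it is full,
#    so new events are still written.
wevtutil sl Security /rt:true /ab:true

# 5. Verify the effective policy instead of trusting the commands above.
foreach ($sub in $required) {
    $row = auditpol /get "/subcategory:$sub" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        Write-Warning "$sub is not audited for Success"
    }
}
auditpol /resourceSACL /type:File /view
wevtutil gl Security | Select-String 'retention|autoBackup'

# 6. Review the audit data: event 4656 (handle requested) includes the
#    Access Reasons field; event 4663 records the access attempt itself.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

On a domain-joined server, audit settings delivered by a Group Policy object replace these local values at the next policy refresh, so the verification step is worth re-running after `gpupdate`.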

Security auditing allows you to track the effectiveness of your network defenses 
and identify attempts to circumvent them. There are a number of auditing 
enhancements in Windows Server 2008 R2 and Windows 7 that increase the level 
of detail in security auditing logs and simplify the deployment and management of 
auditing policies. 

Auditing policy 

Before you implement auditing policy, you must decide which event categories you 
want to audit. The auditing settings that you choose for the event categories define 
your auditing policy. On member servers and workstations that are joined to a 
domain, auditing settings for the event categories are undefined by default. On 
domain controllers, auditing is turned on by default. By defining auditing settings 
for specific event categories, you can create an auditing policy that suits the security 
needs of your organization. 

Audit Object Access 

This security setting determines whether to audit the event of a user accessing an 
object--for example, a file, folder, registry key, printer, and so forth--that has its 
own system access control list (SACL) specified. 

If you define this policy setting, you can specify whether to audit successes, audit 
failures, or not audit the event type at all. Success audits generate an audit entry 
when a user successfully accesses an object that has an appropriate SACL specified. 
Failure audits generate an audit entry when a user unsuccessfully attempts to access 
an object that has a SACL specified. 

To set this value to No auditing, in the Properties dialog box for this policy setting, 
select the Define these policy settings check box and clear the Success and Failure 
check boxes. 

Note that you can set a SACL on a file system object using the Security tab in that 
object's Properties dialog box. 
Audit Handle Manipulation Group Policy setting 

This policy setting determines whether the operating system generates audit events 
when a handle to an object is opened or closed. Only objects with configured 
SACLs generate these events, and only if the attempted handle operation matches 
the SACL. Event volume can be high, depending on how SACLs are configured. 
When used together with the Audit File System or Audit Registry policy settings, 
the Audit Handle Manipulation policy setting can provide an administrator with 
useful "reason for access," audit data detailing the precise permissions on which the 
audit event is based. For example, if a file is configured as a read-only resource but 
a user attempts to save changes to the file, the audit event will log not just the event 
itself but the permissions that were used, or attempted to be used, to save the file 
changes. 

Global Object Access Auditing Group Policy setting. 

Global Object Access Auditing. In Windows Server 2008 R2 and Windows 7, 
administrators can define computer-wide system access control lists (SACLs) for 
either the file system or registry. The specified SACL is then automatically applied 
to every single object of that type. This can be useful both for verifying that all 
critical files, folders, and registry settings on a computer are protected, and for 
identifying when an issue with a system resource occurs. 